Andr/BBridge-A is a Trojan family that targets Android devices. When first run, the Trojan drops its payload (located at “assets/anServerB.so” in the original package) as com.sec.android.bridge.apk and pops up a button asking the user to install it.
The Trojan collects the following information and sends it to a remote site via HTTP:
- Subscriber ID (e.g. IMSI for a GSM phone)
- IMEI
- Phone number
- Network country ISO
- Phone model
- Android OS version
- SIM card info
The payload also has the following capabilities:
- Send SMS messages
- Scan SMS messages
- Remove SMS messages from the inbox (such as messages from China Mobile that contain the message body “尊敬的用户,由于未经您的授权,本次请求未成功,如需使用,请致电10086进行开通,中国移动。”) in order to prevent users from receiving fee consumption updates
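The dropper behaviour described above, a payload APK stored under assets/ with a .so extension, can be checked statically. The following is an added triage example, not code from the original write-up: the function names, the size cap and the sample packages are assumptions constructed for illustration.

```python
import io
import zipfile

ELF_MAGIC = b"\x7fELF"      # header of a genuine shared object
ZIP_MAGIC = b"PK\x03\x04"   # local file header that starts an APK/ZIP
MAX_ASSET = 64 * 1024 * 1024  # assumed cap so a hostile archive cannot exhaust memory

def find_disguised_apks(apk_bytes):
    """Return assets/*.so entries whose content is really an APK archive."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for info in outer.infolist():
            name = info.filename
            if not (name.startswith("assets/") and name.endswith(".so")):
                continue
            with outer.open(info) as fh:
                head = fh.read(4)
            if head != ZIP_MAGIC or info.file_size > MAX_ASSET:
                continue  # real ELF, other data, or too large to unpack here
            try:
                with zipfile.ZipFile(io.BytesIO(outer.read(info))) as inner:
                    if "AndroidManifest.xml" in inner.namelist():
                        hits.append(name)
            except zipfile.BadZipFile:
                pass  # ZIP magic but not a readable archive
    return hits

def make_zip(entries):
    """Build an in-memory ZIP from {name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

def build_samples():
    """Constructed placeholder packages (no real malware content)."""
    base = {"AndroidManifest.xml": b"<placeholder/>", "classes.dex": b"placeholder"}
    dropper = dict(base)
    dropper["assets/anServerB.so"] = make_zip(base)           # APK hidden as .so
    dropper["assets/libnative.so"] = ELF_MAGIC + b"\x00" * 12  # genuine ELF header
    clean = dict(base)
    clean["assets/libnative.so"] = ELF_MAGIC + b"\x00" * 12
    return make_zip(dropper), make_zip(clean)

if __name__ == "__main__":
    suspicious, benign = build_samples()
    print("suspicious:", find_disguised_apks(suspicious))
    print("benign:", find_disguised_apks(benign))
```

A hit means only that a package embeds an installable archive under a misleading extension; it is a reason to inspect the embedded package, not a verdict on its own.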
Examples of Andr/BBridge-A include:
Example 1
File Information
- Size: 34K
- SHA-1: adc8ac7b72a1055438773e7f075028df681d987c
- MD5: b2d359952bce1823d29e182dacac159c
- CRC-32: d0b2666c
- File type: Android application package (APK) file
- First seen: 2011-06-07
Example 2
File Information
- Size: 60K
- SHA-1: 0058d4662d93ba9d020b60e37c4d0990ebc39377
- MD5: 46b032d5b03503cada509bd5fc1b386e
- CRC-32: 9ae64807
- File type: Unspecified binary - probably data
- First seen: 2012-04-26
Example 3
File Information
- Size: 120K
- SHA-1: 00b8f63dc511d726e93f0c622e56ca988389c0e7
- MD5: 225e510581e3a02cfd071b6c3a73aa66
- CRC-32: be6afa91
- File type: Unspecified binary - probably data
- First seen: 2012-07-08